I've noticed on the cluster objects that the "cluster XL" option is ticked.

I assume this is not needed, due to the fact we're running VRRP.

We are also running Firewall, IPsec VPN, IPS, AntiBot, Antivirus Monitoring, APP control and URL filtering.

Can I just disable and push policy?

R77.30
Spiky
https://www.cpug.org/forums/showthread.php/22396-VRRP-ClusterXL-query

Hot Fix Installation Verifier
https://www.cpug.org/forums/showthread.php/22394-Hot-Fix-Installation-Verifier?goto=newpost
Sat, 17 Feb 2018 15:17:02 GMT

Is there a way to verify Hot Fix installation package when installing without using CPUSE?

Thanks
Ravindra

R77.30
ravindra692
https://www.cpug.org/forums/showthread.php/22394-Hot-Fix-Installation-Verifier

Something weird issue with mssql connection
https://www.cpug.org/forums/showthread.php/22391-Something-weird-issue-with-mssql-connection?goto=newpost
Fri, 16 Feb 2018 06:16:08 GMT

Hello,

I am facing a kind of weird issue with MSSQL Server. I have this server which connects to a SQL server on the Internet on port 1433. Now here is the issue:

Somehow this server is not able to connect to the external server.

1. If that server is on an Internet dongle, the outbound connection on port 1433 works fine
2. If the server is put directly on the Internet, it works fine
3. I tried Static NAT, it does not work; with Hide NAT, still the same issue
4. No drops, nothing is observed on CP
5. Disabled all blades except FW, same issue
6. Even replaced the firewall and it WORKS
7. fw ctl zdebug does not show any drops

I am completely clueless here. Please advise.

R77.30
blason
https://www.cpug.org/forums/showthread.php/22391-Something-weird-issue-with-mssql-connection

Site-to-Site VPN intermittent Connectivity
https://www.cpug.org/forums/showthread.php/22386-Site-to-Site-VPN-intermittent-Connectivity?goto=newpost
Wed, 14 Feb 2018 13:34:17 GMT

Hello

I have a VPN connectivity problem with one of our vendors. We have Checkpoint VSX running R77.30 on it and the vendor has a Cisco ASA.

I can see the VPN tunnel is UP in Smart Monitor and I can also see the Encrypt traffic going out in the smart view tracker.

I used fw monitor to get a better idea. I can see the SYN packets going out on both the ingress and egress interface, but the vendor is not seeing this traffic coming in on their firewalls.

After a few minutes, without making any changes on both ends, the connectivity is restored.

Can anyone help give me some insight into this? This has been happening for quite a while now.

Thanks
Ravi

R77.30
ravindra692
https://www.cpug.org/forums/showthread.php/22386-Site-to-Site-VPN-intermittent-Connectivity

Natting behind different ISPs
https://www.cpug.org/forums/showthread.php/22380-Natting-behind-different-ISPs?goto=newpost
Thu, 08 Feb 2018 10:53:01 GMT

Hi Guys,

I have internal range 10.10.10./24 and have 3 ISPs. Since CP does not support more than 2 ISPs in ISP redundancy, I need to know if 10.10.10.1-10.10.10.128 can be natted behind one ISP while 10.10.10.128-10.10.10.200 will be natted behind another and 10.10.10.200-10.10.10.254 behind a third?

I agree I won't get redundancy and I am OK with it. Please let me know if that would be possible.

R77.30
blason
https://www.cpug.org/forums/showthread.php/22380-Natting-behind-different-ISPs

ingress/egress on same interface
https://www.cpug.org/forums/showthread.php/22375-ingress-egress-on-same-interface?goto=newpost
Mon, 05 Feb 2018 14:15:46 GMT

I have to migrate rules from another firewall vendor, where the packet leaves the firewall on the same interface (egress interface) as it has entered the firewall (ingress interface).
As far as I know, this is one of the little nasty things Check Point Software can't do. Am I right?

R77.30
slowfood27
https://www.cpug.org/forums/showthread.php/22375-ingress-egress-on-same-interface

config_system: command not found
https://www.cpug.org/forums/showthread.php/22371-config_system-command-not-found?goto=newpost
Fri, 02 Feb 2018 09:03:43 GMT

Just re-imaged a 12400 to R77.30 Jumbo take 292 using the blink mechanism, did the initial configuration and modified some system configs.
Now I want to clear the whole Gaia config using the config_system command, which is not found.

edit: there is /etc/config_system.orig --> renamed it and command works now.

But: It does not really clear the Gaia config, old stuff is still there.

So how do I get my Gaia config cleared?

R77.30
slowfood27
https://www.cpug.org/forums/showthread.php/22371-config_system-command-not-found

Hide NAT only half working
https://www.cpug.org/forums/showthread.php/22370-Hide-NAT-only-half-working?goto=newpost
Fri, 02 Feb 2018 02:11:03 GMT

Hi guys,

Have a cluster of 12600's. Plenty of existing hide NATs are working just fine, but this scenario seems to be specific to where an IP resides on a connected interface.

192.168.10.10
10.1.1.1 -> 192.168.10.0
192.168.10.10 -> 10.1.1.1

You can see the last part of the NAT is missing (10.1.1.1 -> 10.10.10.5); the connection times out even though the server has replied.

I cannot quite figure it out. I have this issue only when the interface is directly connected to the checkpoint; internal traffic, for example, can leave the firewall out the external interface and be hidden with no issues.

Alternatively, is there a way I can create a virtual IP 10.1.1.254 on the firewall? (not sure if that will actually fix it however)

Any ideas?

Thanks!

R77.30
Flamer
https://www.cpug.org/forums/showthread.php/22370-Hide-NAT-only-half-working

Smart Dashboard login issue R77.30 open server.
https://www.cpug.org/forums/showthread.php/22368-Smart-Dashboard-login-issue-R77-30-open-server?goto=newpost
Thu, 01 Feb 2018 09:53:55 GMT

Hello,

Recently we installed Gaia R77.30 on an Open server for management only and configured it successfully. We are able to access it through the web GUI and SSH, and we also allowed our Dashboard system IP address as a GUI client.

When trying to connect through the dashboard we are getting the below error:

Connection cannot be initiated, please make sure that the server X.X.X.X server is up and running and you are defined as GUI client.

Please help to resolve

Thanks,
Prem

Hope somebody can help. We have two issues developing with site-to-site VPN connections (different tunnels). The users are connecting, the tunnel comes up and they start work. One is an sftp transfer and the other is a data export. During this time (randomly) the connection fails and they have to reconnect; sometimes it comes back up straight away or takes a few minutes. I'm new to checkpoint and would like some pointers as to where to start to troubleshoot this issue, please.

Our checkpoint VPN has a VPN to client ASA and Security Association is failing to get established.
As a result I am seeing error: "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information"

Upon checking, it looks like our local subnet which is a /22 is being advertised to the peer as /16 (summarized), but they are expecting traffic from /22 subnet.

Is there a way we can define the local encryption domain just for the ASA VPN peer to make sure they receive our subnet as /22 and not /16?

R77.30
jessica
https://www.cpug.org/forums/showthread.php/22364-VPN-advertising-wrong-subnet-to-the-peer-and-traffic-getting-dropped

Asymmetric Routing when accessing gateway cluster members?
https://www.cpug.org/forums/showthread.php/22361-Asymmentric-Routing-when-accessing-gateway-cluster-members?goto=newpost
Mon, 29 Jan 2018 19:27:47 GMT

Having an issue where ssh/web attempts to members of a gateway cluster result in dropped packets with the error of:

TCP packet out of state: Unexpected post SYN packet - RST or SYN expected
tcp_flags: ACK

It does not go into much detail as to why this is happening on my gateways or what I may have misconfigured where such that I can address the real issue rather than using this proposed solution.

Can anyone point me to what I might have configured incorrectly that is causing this? I have verified that the fix in the CP SK does in fact fix it but I would prefer to get to the root of the issue if I can.

Thanks

R77.30
infrared013
https://www.cpug.org/forums/showthread.php/22361-Asymmentric-Routing-when-accessing-gateway-cluster-members

SSH Access to Gateway works only on Mgmt interface
https://www.cpug.org/forums/showthread.php/22359-SSH-Access-to-Gateway-works-only-on-Mgmt-interface?goto=newpost
Thu, 25 Jan 2018 21:58:50 GMT

Just replaced a 12400 Cluster with new 15400 HW.
All is fine, except that the cluster member accept ssh connection only on the Mgmt interface.